'\" te
.\" Copyright (c) 2017 Peter Tribble
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with
.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH AUDIT.LOG 5 "Mar 6, 2017"
.SH NAME
audit.log \- audit trail file
.SH SYNOPSIS
.LP
.nf
\fB#include <bsm/audit.h>\fR
.fi

.LP
.nf
\fB#include <bsm/audit_record.h>\fR
.fi

.SH DESCRIPTION
.LP
\fBaudit.log\fR files are the depository for audit records stored locally or on
an NFS-mounted audit server. These files are kept in directories as specified
by the \fBp_dir\fR attribute of the \fBaudit_binfile\fR(7) plugin. They are
named to reflect the time they are created and are, when possible, renamed to
reflect the time they are closed as well. The name takes the form
.sp
.LP
\fIyyyymmddhhmmss\fR\fB\&.not_terminated.\fR\fIhostname\fR
.sp
.LP
when open or if \fBauditd\fR(8) terminated ungracefully, and the form
.sp
.LP
\fIyyyymmddhhmmss\fR\fB\&.\fR\fIyyyymmddhhmmss\fR\fB\&.\fR\fIhostname\fR
.sp
.LP
when properly closed. \fByyyy\fR is the year, \fBmm\fR the month, \fBdd\fR day
in the month, \fBhh\fR hour in the day, \fBmm\fR minute in the hour, and
\fBss\fR second in the minute. All fields are of fixed width.
.sp
.LP
Audit data is generated in the binary format described below; the default for
audit is binary format. See \fBaudit_syslog\fR(7) for an alternate data
format.
.sp
.LP
The \fBaudit.log\fR file begins with a standalone \fBfile token\fR and
typically ends with one also. The beginning \fBfile token\fR records the
pathname of the previous audit file, while the ending \fBfile token\fR records
the pathname of the next audit file. If the file name is \fBNULL\fR the
appropriate path was unavailable.
.sp
.LP
The \fBaudit.log\fR files contains audit records. Each audit record is made up
of \fIaudit tokens\fR. Each record contains a header token followed by various
data tokens. Depending on the audit policy in place by \fBauditon\fR(2),
optional other tokens such as trailers or sequences may be included.
.sp
.LP
The tokens are defined as follows:
.sp
.LP
The \fBfile\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
seconds of time         4 bytes
microseconds of time    4 bytes
file name length        2 bytes
file pathname           N bytes + 1 terminating NULL byte
.fi
.in -2
.sp

.sp
.LP
The \fBheader\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
record byte count       4 bytes
version #               1 byte    [2]
event type              2 bytes
event modifier          2 bytes
seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
nanoseconds of time     4 bytes/8 bytes (32-bit/64-bit value)
.fi
.in -2
.sp

.sp
.LP
The expanded \fBheader\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
record byte count       4 bytes
version #               1 byte     [2]
event type              2 bytes
event modifier          2 bytes
address type/length     1 byte
machine address         4 bytes/16 bytes (IPv4/IPv6 address)
seconds of time         4 bytes/8 bytes  (32/64-bits)
nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
.fi
.in -2
.sp

.sp
.LP
The \fBtrailer\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
trailer magic number    2 bytes
record byte count       4 bytes
.fi
.in -2
.sp

.sp
.LP
The  \fBarbitrary\fR \fBdata\fR token is defined:
.sp
.in +2
.nf
token ID                1 byte
how to print            1 byte
basic unit              1 byte
unit count              1 byte
data items              (depends on basic unit)
.fi
.in -2
.sp

.sp
.LP
The \fBin_addr\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
IP address type/length  1 byte
IP address        4 bytes/16 bytes (IPv4/IPv6 address)
.fi
.in -2
.sp

.sp
.LP
The expanded \fBin_addr\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
IP address type/length  4 bytes/16 bytes (IPv4/IPv6 address)
IP address             16 bytes
.fi
.in -2
.sp

.sp
.LP
The \fBip\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
version and ihl         1 byte
type of service         1 byte
length                  2 bytes
id                      2 bytes
offset                  2 bytes
ttl                     1 byte
protocol                1 byte
checksum                2 bytes
source address          4 bytes
destination address     4 bytes
.fi
.in -2
.sp

.sp
.LP
The expanded \fBip\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
version and ihl         1 byte
type of service         1 byte
length                  2 bytes
id                      2 bytes
offset                  2 bytes
ttl                     1 byte
protocol                1 byte
checksum                2 bytes
address type/type       1 byte
source address          4 bytes/16 bytes (IPv4/IPv6 address)
address type/length     1 byte
destination address     4 bytes/16 bytes (IPv4/IPv6 address)
.fi
.in -2
.sp

.sp
.LP
The \fBiport\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
port IP address         2 bytes
.fi
.in -2
.sp

.sp
.LP
The \fBpath\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
path length             2 bytes
path                    N bytes + 1 terminating NULL byte
.fi
.in -2
.sp

.sp
.LP
The \fBpath_attr\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
count                   4 bytes
path                    \fIcount\fR null-terminated string(s)
.fi
.in -2
.sp

.sp
.LP
The \fBprocess\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
audit ID                4 bytes
effective user ID       4 bytes
effective group ID      4 bytes
real user ID            4 bytes
real group ID           4 bytes
process ID              4 bytes
session ID              4 bytes
terminal ID	
  port ID               4 bytes/8 bytes (32-bit/64-bit value)
  machine address       4 bytes
.fi
.in -2
.sp

.sp
.LP
The expanded \fBprocess\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
audit ID                4 bytes
effective user ID       4 bytes
effective group ID      4 bytes
real user ID            4 bytes
real group ID           4 bytes
process ID              4 bytes
session ID              4 bytes
terminal ID	
  port ID               4 bytes/8 bytes (32-bit/64-bit value)
  address type/length   1 byte
  machine address       4 bytes/16 bytes (IPv4/IPv6 address)
.fi
.in -2
.sp

.sp
.LP
The \fBreturn\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
error number            1 byte
return value            4 bytes/8 bytes (32-bit/64-bit value)
.fi
.in -2
.sp

.sp
.LP
The \fBsubject\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
audit ID                4 bytes
effective user ID       4 bytes
effective group ID      4 bytes
real user ID            4 bytes
real group ID           4 bytes
process ID              4 bytes
session ID              4 bytes
terminal ID	
  port ID               4 bytes/8 bytes (32-bit/64-bit value)
  machine address       4 bytes
.fi
.in -2
.sp

.sp
.LP
The expanded \fBsubject\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
audit ID                4 bytes
effective user ID       4 bytes
effective group ID      4 bytes
real user ID            4 bytes
real group ID           4 bytes
process ID              4 bytes
session ID              4 bytes
terminal ID	
  port ID               4 bytes/8 bytes (32-bit/64-bit value)
  address type/length   1 byte
  machine address       4 bytes/16 bytes (IPv4/IPv6 address)
.fi
.in -2
.sp

.sp
.LP
The \fBSystem V IPC\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
object ID type          1 byte
object ID               4 bytes
.fi
.in -2
.sp

.sp
.LP
The \fBtext\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
text length             2 bytes
text                    N bytes + 1 terminating NULL byte
.fi
.in -2
.sp

.sp
.LP
The \fBattribute\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
file access mode        4 bytes
owner user ID           4 bytes
owner group ID          4 bytes
file system ID          4 bytes
node ID                 8 bytes
device                  4 bytes/8 bytes (32-bit/64-bit)
.fi
.in -2
.sp

.sp
.LP
The \fBgroups\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
number groups           2 bytes
group list              N * 4 bytes
.fi
.in -2
.sp

.sp
.LP
The \fBSystem V IPC permission\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
owner user ID           4 bytes
owner group ID          4 bytes
creator user ID         4 bytes
creator group ID        4 bytes
access mode             4 bytes
slot sequence #         4 bytes
key                     4 bytes
.fi
.in -2
.sp

.sp
.LP
The \fBarg\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
argument #              1 byte
argument value          4 bytes/8 bytes (32-bit/64-bit value)
text length             2 bytes
text                    N bytes + 1 terminating NULL byte
.fi
.in -2
.sp

.sp
.LP
The \fBexec_args\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
count                   4 bytes
text                    \fIcount\fR null-terminated string(s)
.fi
.in -2
.sp

.sp
.LP
The \fBexec_env\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
count                   4 bytes
text                    \fIcount\fR null-terminated string(s)
.fi
.in -2
.sp

.sp
.LP
The \fBexit\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
status                  4 bytes
return value            4 bytes
.fi
.in -2
.sp

.sp
.LP
The \fBsocket\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
socket type             2 bytes
remote port             2 bytes
remote Internet address 4 bytes
.fi
.in -2
.sp

.sp
.LP
The expanded \fBsocket\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
socket domain           2 bytes
socket type             2 bytes
local port              2 bytes
address type/length     2 bytes
local port              2 bytes
local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
remote port             2 bytes
remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
.fi
.in -2
.sp

.sp
.LP
The \fBseq\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
sequence number         4 bytes
.fi
.in -2
.sp

.sp
.LP
The \fBprivilege\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
text length             2 bytes
privilege set name      N bytes + 1 terminating NULL byte
text length             2 bytes
list of privileges      N bytes + 1 terminating NULL byte
.fi
.in -2

.sp
.LP
The \fBuse-of-auth\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
text length             2 bytes
authorization(s)        N bytes + 1 terminating NULL byte
.fi
.in -2

.sp
.LP
The \fBuse-of-privilege\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
succ/fail               1 byte
text length             2 bytes
privilege used          N bytes + 1 terminating NULL byte
.fi
.in -2

.sp
.LP
The \fBcommand\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
count of args           2 bytes
argument list           (count times)
text length             2 bytes
argument text           N bytes + 1 terminating NULL byte
count of env strings    2 bytes
environment list        (count times)
text length             2 bytes
env. text               N bytes + 1 terminating NULL byte
.fi
.in -2

.sp
.LP
The \fBACL\fR token consists of:
.sp
.in +2
.nf
token ID			    1 byte
type				    4 bytes
value			    4 bytes
file mode			    4 bytes
.fi
.in -2

.sp
.LP
The ACE token consists of:
.sp
.in +2
.nf
token ID           1 byte
who                4 bytes
access_mask        4 bytes
flags              2 bytes
type               2 bytes
.fi
.in -2

.sp
.LP
The \fBzonename\fR token consists of:
.sp
.in +2
.nf
token ID            1 byte
name length         2 bytes
name                \fI<name length>\fR including terminating NULL byte
.fi
.in -2

.sp
.LP
The \fBfmri\fR token consists of:
.sp
.in +2
.nf
token ID            1 byte
fmri length         2 bytes
fmri                \fI<fmri length>\fR including terminating NULL byte
.fi
.in -2

.sp
.LP
The \fBlabel\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
label ID                1 byte
compartment length      1 byte
classification          2 bytes
compartment words       \fI<compartment length>\fR * 4 bytes
.fi
.in -2

.sp
.LP
The \fBxatom\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
string length           2 bytes
atom string             \fIstring length\fR bytes
.fi
.in -2

.sp
.LP
The \fBxclient\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
client ID               4 bytes
.fi
.in -2

.sp
.LP
The \fBxcolormap\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
XID                     4 bytes
creator UID             4 bytes
.fi
.in -2

.sp
.LP
The \fBxcursor\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
XID                     4 bytes
creator UID             4 bytes
.fi
.in -2

.sp
.LP
The \fBxfont\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
XID                     4 bytes
creator UID             4 bytes
.fi
.in -2

.sp
.LP
The \fBxgc\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
XID                     4 bytes
creator UID             4 bytes
.fi
.in -2

.sp
.LP
The \fBxpixmap\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
XID                     4 bytes
creator UID             4 bytes
.fi
.in -2

.sp
.LP
The \fBxproperty\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
XID                     4 bytes
creator UID             4 bytes
string length           2 bytes
string                  \fIstring length\fR bytes
.fi
.in -2

.sp
.LP
The \fBxselect\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
property length         2 bytes
property string         \fIproperty length\fR bytes
prop. type len.         2 bytes
prop type               \fIprop. type len.\fR bytes
data length             2 bytes
window data             \fIdata length\fR bytes
.fi
.in -2

.sp
.LP
The \fBxwindow\fR token consists of:
.sp
.in +2
.nf
token ID                1 byte
XID                     4 bytes
creator UID             4 bytes
.fi
.in -2

.SH ATTRIBUTES
.LP
See \fBattributes\fR(7) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	See below.
.TE

.sp
.LP
The binary file format is Committed. The binary file contents is Uncommitted.
.SH SEE ALSO
.LP
.BR audit (2),
.BR auditon (2),
.BR au_to (3BSM),
.BR audit_binfile (7),
.BR audit_remote (7),
.BR audit_syslog (7),
.BR audit (8),
.BR auditd (8)
.SH NOTES
.LP
Each token is generally written using the \fBau_to\fR(3BSM) family of function
calls.
